November 10, 2008, 9:11 AM — One of the most notorious networks of hacked computers used for sending spam could be generating as much as US$3.5 million per year peddling drugs such as Viagra, according to new research.
While filters used by e-mail providers Yahoo, Google and Microsoft halt a vast amount of spam, messages squeak through and reach receptive buyers.
The study was carried out by infiltrating the Storm botnet, a robust peer-to-peer system that commands millions of hacked computers to send spam campaigns.
The researchers modified Storm's command-and-control system to insert their own links in spam messages that lead to Web sites they created instead of the one's spammers were advertising.
One of the Web sites advertised pharmaceuticals, and the other mimicked an e-postcard site. E-postcard spam often leads to Web sites that try to infect PCs with malicious software that causes the machines to send Storm-related spam.
Both sites the researchers created were harmless: The drug site would return an error if someone tried to buy something, and the e-postcards site contained a benign executable. The sites reported attempted purchases and whether the executable ran.
The researchers monitored how many messages reached inboxes and whether the messages lead to a purchase or infected a PC with malware.
Over the course of the spam campaigns, some 469 million e-mails were sent. Of the 350 million pharmaceutical messages, 10,522 users visited the site, but only 28 people tried to make a purchase, a response rate of .0000081 percent.
"However, a very low conversion rate does not necessarily imply low revenue or profitability," the researchers wrote.
The average purchase price was $100. Calculating how much pharmaceutical spam Storm sends out daily, revenue could top $7,000 per day. Per year, revenue would hit $3.5 million.
"This number could be even higher if spam-advertised pharmacies experience repeat business," they wrote.
Still, sending spam is expensive. It would cost upwards of $25,000 to send 350 million messages, which is too much to likely make a profit on the conversion rate observed.
The researchers said it suggests a business model where those running the Storm botnet are also involved in running the drug Web sites.
"If true, the hypothesis is heartening," they wrote. "It suggests that the third-party retail market for spam distribution has not grown large or efficient enough to produce competitive pricing."
The upshot is that spammers and Storm network operators may be working on tight margins in order to make a profit, and their campaigns are "economically susceptible to new defenses," the study said.
The response rate to spam luring people to e-postcard sites was higher. The researchers estimated that a Storm self-propagation campaign, which seeks to infect new PCs to maintain the network, could result in 3,500 to 8,500 new bots per day.
The research was done by the computer science departments of the University of California at its Berkeley and San Diego campuses.
